民生黄金价格查询

Security checks across malware telemetry and agentic risk

Overview

This is a narrow gold-price lookup skill that fetches from a disclosed JD Finance endpoint and stores only a local cache file.

Install only if you are comfortable with the skill making outbound HTTPS requests to JD Finance and writing a local `cache/last_price.json` file. Treat returned prices as informational, not guaranteed trading or financial advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill declares no permissions, but its documented behavior clearly requires network access and file reads/writes for caching. This creates a transparency and governance problem: users or hosting platforms cannot accurately assess what the skill can do, and undeclared capabilities can bypass least-privilege review or policy enforcement.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal